Wouter Verhelst <[email protected]> writes:

> Or is it useful to be able to say "if it doesn't check out, it's
> certainly corrupt, and if it does check out, it may be corrupt"? Didn't
> think so.

I don't understand why you say this. Cryptographic attacks on MD5 aren't going to happen as a result of random file corruption. The MD5 checksums are still very effective at finding file corruption or modification from what's in the Debian package unless that modification was done by a sophisticated attacker (MD5 preimage attacks are still not exactly easy).

Detecting compromises is useful, but only a small part of what the MD5 checksums are useful for. I'd more frequently use them to detect well-intentioned but misguided meddling by a local sysadmin.

I certainly don't object to replacing them with SHA1 hashes, although signed deb packages would still be my preferred solution to this problem.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
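
Added example, not part of the original message: a small check of files against a dpkg-style md5sums manifest (lines of `<md5hex>  <relative path>`), showing the use case described above of spotting locally modified or missing files. The names `verify_md5sums`, `file_md5` and `demo`, and the sample file tree, are constructed for illustration.

```python
import hashlib
import os
import tempfile


def file_md5(path, chunk_size=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_md5sums(manifest_text, root):
    """Return {relative_path: "ok" | "changed" | "missing"} per manifest entry."""
    results = {}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        expected, rel_path = line.split(None, 1)
        full_path = os.path.join(root, rel_path)
        if not os.path.isfile(full_path):
            results[rel_path] = "missing"
        elif file_md5(full_path) == expected.lower():
            results[rel_path] = "ok"
        else:
            results[rel_path] = "changed"
    return results


def demo():
    """Build a constructed file tree, alter it, and verify it."""
    files = {"etc/demo.conf": b"option = 1\n",
             "usr/bin/demo": b"#!/bin/sh\necho hi\n",
             "usr/share/doc/demo/README": b"docs\n"}
    with tempfile.TemporaryDirectory() as root:
        manifest = ""
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            manifest += f"{hashlib.md5(data).hexdigest()}  {rel}\n"
        # Simulate a local edit to a config file and a deleted doc file.
        with open(os.path.join(root, "etc/demo.conf"), "ab") as fh:
            fh.write(b"option = 2\n")
        os.remove(os.path.join(root, "usr/share/doc/demo/README"))
        return verify_md5sums(manifest, root)
```

The manifest here is unauthenticated, so the check catches accidental corruption and local edits, not a change by someone who can also rewrite the manifest.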

